Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

New Log posting. Please help, thanx.

Post by GarrySelman » March 25th, 2007, 6:22 pm

Logfile of HijackThis v1.99.1
Scan saved at 23:04:34, on 25/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mwinlodv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: LÀFäPActivate

Product-zDC:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe C84DVn-}f(YR]eAR6.jiProductNonBootFiles>H%m,3ks$g($H)L[q8rscx
O1 - Hosts: \âÂ
GarrySelman
Regular Member
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Post by Susan528 » March 25th, 2007, 11:03 pm

Hello Garry and Welcome to Malware Removal,

STEP 1.
======
Uninstall Manager

Let's see if we can find out what it got installed with.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post

STEP 2.
======
HostsXpert

Please download HostsXpert.
  1. Unzip HostsXpert.zip
  2. Double click on HostsXpert.exe
  3. Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
  4. Click on Make Hosts Read Only to secure it against further infection.
  5. Close program when complete.

STEP 3.
======
Please perform an online scan with Internet Explorer at
http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

STEP 4.
======
Deckard’s System Scanner

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your reply


Also please post (reply) with the log from Kaspersky, and the Uninstall list.
Last edited by Susan528 on March 26th, 2007, 2:30 pm, edited 1 time in total.
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
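Step 2 restores the hosts file and sets it read-only. The two O1 lines in Garry's log show why that step comes before anything else: HijackThis is printing non-text bytes out of a file that should be plain ASCII, so the file has been overwritten with binary data rather than merely edited. The script below is an added example written for this page (it is not a MalwareRemoval.com tool and not part of HostsXpert). It classifies each line of a hosts file as binary junk, a normal entry, or a suspicious mapping. The three sample files are constructed, not Garry's real file, and the vendor watchlist is an illustrative assumption.

```python
import string

# Constructed sample hosts files (not Garry's real file): a default XP-style file,
# a hijacked one, and one corrupted with binary junk like the O1 lines in the log.
CLEAN_HOSTS = (
    b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    b"# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    b"127.0.0.1       localhost\r\n"
)
HIJACKED_HOSTS = (
    b"127.0.0.1       localhost\r\n"
    b"127.0.0.1       www.kaspersky.com\r\n"
    b"10.0.0.5        windowsupdate.microsoft.com\r\n"
)
CORRUPT_HOSTS = b"L\xc0F\xe4PActivate\r\n127.0.0.1 localhost\r\n\\\xe2\xc2\r\n"

PRINTABLE = frozenset(string.printable.encode("ascii"))
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Substrings of hostnames that hijackers commonly blackhole or redirect so the
# victim cannot reach vendor scan/update sites. Illustrative list (an assumption).
WATCHLIST = ("kaspersky", "symantec", "mcafee", "grisoft", "microsoft", "windowsupdate")


def check_hosts(data: bytes) -> dict:
    """Classify every line of a hosts file; returns findings keyed by type."""
    findings = {"binary_lines": [], "suspicious": [], "entries": []}
    for lineno, raw in enumerate(data.splitlines(), 1):
        # A hosts file is plain text. Any non-printable byte means it was
        # overwritten or appended to with binary data, which HijackThis
        # renders as the garbage O1 lines seen in the log.
        if any(b not in PRINTABLE for b in raw):
            findings["binary_lines"].append(lineno)
            continue
        text = raw.decode("ascii").split("#", 1)[0].strip()  # drop comments
        if not text:
            continue
        fields = text.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            findings["entries"].append((ip, name))
            if name.lower() == "localhost" and ip in LOOPBACK:
                continue  # the one mapping a default file contains
            # Either a vendor/update host is being pointed somewhere, or some
            # other host is being sinkholed to loopback: both warrant a look.
            if ip in LOOPBACK or any(w in name.lower() for w in WATCHLIST):
                findings["suspicious"].append((lineno, ip, name))
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings to one word a helper can act on."""
    if findings["binary_lines"]:
        return "corrupt"   # replace the whole file; do not try to edit it in place
    if findings["suspicious"]:
        return "hijacked"
    return "ok"


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS), ("corrupt", CORRUPT_HOSTS)):
        f = check_hosts(sample)
        print(f"{label}: {verdict(f)} binary={f['binary_lines']} suspicious={f['suspicious']}")
```

Two notes on the step itself. A corrupt file is the case where "Restore Original Hosts" (write a fresh default file) is the right move and hand-editing is not, because the binary part is not something an editor will show reliably. And the read-only attribute from "Make Hosts Read Only" only stops casual edits: any process running as Administrator can clear it, so treat it as a speed bump, not a control, and re-check the file after the rest of the cleanup.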

Post by GarrySelman » March 26th, 2007, 2:00 pm

First off, as soon as I click on the button "Save list", HijackThis shuts down and no file is saved. Good start!! Garry.
GarrySelman
Regular Member
Posts: 34
Joined: March 25th, 2007, 6:11 pm

Post by Susan528 » March 26th, 2007, 2:31 pm

Okay, let's skip to Step2 and proceed and see what happens.
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Results of Kaspersky Scan

Post by GarrySelman » March 27th, 2007, 1:09 pm

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 27, 2007 5:27:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/03/2007
Kaspersky Anti-Virus database records: 286813
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 110170
Number of viruses found: 9
Number of infected objects: 22 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:16:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Garry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Identities\{A495EE0E-0623-48C7-A17F-EE0E38AB9AA5}\Microsoft\Outlook Express\Sutton.dbx/[From "Gazzasutton" <Gazzasutton@aol.com>][Date Fri, 29 Oct 2004 12:38:37 +0200]/UNNAMED/price.exe Infected: Email-Worm.Win32.Bagle.at skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Identities\{A495EE0E-0623-48C7-A17F-EE0E38AB9AA5}\Microsoft\Outlook Express\Sutton.dbx/[From "Gazzasutton" <Gazzasutton@aol.com>][Date Fri, 29 Oct 2004 12:38:37 +0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.at skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Identities\{A495EE0E-0623-48C7-A17F-EE0E38AB9AA5}\Microsoft\Outlook Express\Sutton.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Garry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Garry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Garry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Garry\My Documents\My Zips\MP3MIXMASTER.exe/SetupMMSW.DLL Infected: not-a-virus:AdWare.Win32.TimeSink.d skipped
C:\Documents and Settings\Garry\My Documents\My Zips\MP3MIXMASTER.exe ZIP: infected - 1 skipped
C:\Documents and Settings\Garry\My Documents\My Zips\Outlook 11.11.06\zSutton.dbx/[From "Gazzasutton" <Gazzasutton@aol.com>][Date Fri, 29 Oct 2004 12:38:37 +0200]/UNNAMED/price.exe Infected: Email-Worm.Win32.Bagle.at skipped
C:\Documents and Settings\Garry\My Documents\My Zips\Outlook 11.11.06\zSutton.dbx/[From "Gazzasutton" <Gazzasutton@aol.com>][Date Fri, 29 Oct 2004 12:38:37 +0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.at skipped
C:\Documents and Settings\Garry\My Documents\My Zips\Outlook 11.11.06\zSutton.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Garry\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Garry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Garry\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\NDNuninstall7_48.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\awvts.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\WINDOWS\system32\bkeudpet.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\btqiloju.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\eafhriyi.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\fmxkwfec.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\gmtquutd.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kqcmpfvd.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\nkdsregr.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\opnlklm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\WINDOWS\system32\thlnnlfh.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xehlmdgg.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\yospurmw.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
GarrySelman
Regular Member
Posts: 34
Joined: March 25th, 2007, 6:11 pm
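The report above lists some eighty objects but only a handful need action. "Object is locked skipped" means the scanner could not open a file Windows holds open (registry hives, index.dat, event logs); it is not a detection. Verdicts prefixed "not-a-virus:" are adware or riskware, still worth removing. Objects whose name contains "/" sit inside an archive or a mail store, and the online scanner will not clean those (its own notice says it only reports). The script below is an added example written for this page, not a Kaspersky or MalwareRemoval.com tool: it parses the three line shapes the report uses and groups the on-disk files by the action each needs. The ten input lines are copied from Garry's report; the action wording is my own.

```python
import re
from collections import Counter

# Ten lines copied from the Kaspersky Online Scanner report posted above
# (a subset of the full report; together they cover every line shape it uses).
REPORT = r"""
C:\Documents and Settings\Garry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Identities\{A495EE0E-0623-48C7-A17F-EE0E38AB9AA5}\Microsoft\Outlook Express\Sutton.dbx/[From "Gazzasutton" <Gazzasutton@aol.com>][Date Fri, 29 Oct 2004 12:38:37 +0200]/UNNAMED/price.exe Infected: Email-Worm.Win32.Bagle.at skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Identities\{A495EE0E-0623-48C7-A17F-EE0E38AB9AA5}\Microsoft\Outlook Express\Sutton.dbx/[From "Gazzasutton" <Gazzasutton@aol.com>][Date Fri, 29 Oct 2004 12:38:37 +0200]/UNNAMED Infected: Email-Worm.Win32.Bagle.at skipped
C:\Documents and Settings\Garry\Local Settings\Application Data\Identities\{A495EE0E-0623-48C7-A17F-EE0E38AB9AA5}\Microsoft\Outlook Express\Sutton.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Garry\My Documents\My Zips\MP3MIXMASTER.exe/SetupMMSW.DLL Infected: not-a-virus:AdWare.Win32.TimeSink.d skipped
C:\Documents and Settings\Garry\My Documents\My Zips\MP3MIXMASTER.exe ZIP: infected - 1 skipped
C:\WINDOWS\system32\awvts.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped
C:\WINDOWS\system32\btqiloju.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
""".strip().splitlines()

# The object name can contain spaces, so match the tail of the line first:
# "... Object is locked skipped", "... Infected: <verdict> skipped", or the
# container summary "... <Type>: infected - <n> skipped".
LINE = re.compile(
    r"^(?P<obj>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<container>[A-Za-z0-9 ]+): infected - (?P<count>\d+)"
    r") skipped$"
)

# How each class of on-disk file has to be handled (wording is mine).
HOW_MAIL = "delete the message in Outlook Express; the scanner cannot clean inside a mail store"
HOW_ARCHIVE = "delete the whole archive or re-obtain a clean copy"
HOW_SYSTEM32 = "loose file in system32: remove after stopping the process and clearing its autostart"
HOW_FILE = "delete the file"


def parse_line(line: str):
    m = LINE.match(line)
    if not m:
        return None
    obj = m.group("obj")
    # '/' only appears as the separator between a container and its members;
    # the part before the first '/' is the real file on disk.
    rec = {"object": obj, "file": obj.split("/")[0], "nested": "/" in obj}
    if m.group("locked"):
        rec["kind"] = "locked"
    elif m.group("verdict"):
        v = m.group("verdict")
        rec["kind"] = "riskware" if v.startswith("not-a-virus:") else "malware"
        rec["verdict"] = v
    else:
        rec["kind"] = "container"   # per-archive summary; members were listed above it
        rec["count"] = int(m.group("count"))
    return rec


def triage(lines):
    recs = [r for r in (parse_line(l) for l in lines) if r]
    by_kind = Counter(r["kind"] for r in recs)
    families = Counter(r["verdict"] for r in recs if "verdict" in r)
    actions = {}
    for r in recs:
        if "verdict" not in r:
            continue
        f = r["file"]
        low = f.lower()
        if low.endswith(".dbx"):
            how = HOW_MAIL
        elif r["nested"]:
            how = HOW_ARCHIVE
        elif "\\system32\\" in low:
            how = HOW_SYSTEM32
        else:
            how = HOW_FILE
        actions.setdefault(f, {"verdicts": set(), "how": how})["verdicts"].add(r["verdict"])
    return {"by_kind": dict(by_kind), "families": dict(families), "actions": actions}


if __name__ == "__main__":
    result = triage(REPORT)
    print(result["by_kind"])
    for path, info in result["actions"].items():
        print(f"{path}\n    {sorted(info['verdicts'])}\n    -> {info['how']}")
```

Run against the full report the same grouping shrinks the eighty lines to a short list: the two copies of Sutton.dbx (live and the zipped backup), MP3MIXMASTER.exe, the two NDNuninstall files, and the run of random-named .exe and .dll files in system32. That last group is what the O2/O20 hooks in the HijackThis log point at, so it is the part a helper deals with first; the .dbx hits are an old Bagle sample sitting in mail folders and are handled inside the mail client, not by deleting the store.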

Post by Susan528 » March 27th, 2007, 1:59 pm

You were not able to run Deckard's System Scanner?

Can you run hijackthis again and post (reply) with a log?

Silent Runners

Download Silentrunners.zip from here and unzip it to a new folder on your desktop.
  • Run the SilentRunners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click NO
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run (it won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file and copy & paste it in your next reply.
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
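Susan asks for a fresh HijackThis log. When it arrives inside the Deckard's output that follows, the lines that matter are the O2 BHOs registered with "(no name)", the O20 Winlogon Notify DLLs and the O4 Run entries, all pointing at files in system32 with 5-8 random lowercase letters for a name, plus an O23 service calling itself "svchost" that runs from under Common Files. The script below is an added example written for this page, not a MalwareRemoval.com or HijackThis tool: it applies those checks to lines copied from that log, with the Adobe, AVG, WgaLogon and NVIDIA lines kept as benign controls. The "random name" test and the list of impersonated system names are heuristics of mine, not anything HijackThis does itself. The last function decodes the hidden folder name C:\WINDOWS\R2FycnkgU2VsbWFu from the DSS file list, which is base64 for "Garry Selman".

```python
import base64
import re

# Lines copied from the HijackThis section of the Deckard's System Scanner log
# posted later in this thread (a subset; four benign lines kept as controls).
HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17E61077-7431-47DA-A165-CE1AA4EB4464} - C:\WINDOWS\system32\scvwfxxu.dll (file missing)
O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\bkeudpet.dll",setvm
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinlodv.exe OLI001
O20 - Winlogon Notify: opnlklm - C:\WINDOWS\SYSTEM32\opnlklm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: svchost - Unknown owner - -C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe (file missing)
""".strip().splitlines()

# First Windows path ending in .dll or .exe anywhere in the line (handles the
# quoted rundll32 form and the 8.3 PROGRA~1 form alike).
PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.IGNORECASE)
# Heuristic (mine): the droppers in this log use 5-8 random lowercase letters.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
# Display names malware borrows from real Windows components (my list).
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "smss", "explorer"}


def stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def assess(line: str) -> dict:
    """Return the section, the file the entry points at, and why it looks wrong."""
    kind = line.split(" - ", 1)[0]              # "O2", "O4", "O20", "O23", ...
    m = PATH.search(line)
    path = m.group(1) if m else ""
    missing = line.endswith("(file missing)")
    reasons = []
    if path and in_system32(path) and RANDOM_STEM.match(stem(path)):
        reasons.append("random-looking file name in system32")
    if kind == "O2" and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if kind in ("O2", "O20") and missing:
        reasons.append("hook still registered for a file that no longer exists")
    if kind == "O23":
        display = line.split("Service: ", 1)[1].split(" - ", 1)[0]
        if display.split(" (")[0].lower() in SYSTEM_NAMES and not in_system32(path):
            reasons.append("service named like a Windows component but running from outside system32")
    return {"kind": kind, "path": path, "missing": missing, "reasons": reasons}


def flagged(lines):
    """(section, path, reasons) for every line with at least one finding."""
    out = []
    for line in lines:
        a = assess(line)
        if a["reasons"]:
            out.append((a["kind"], a["path"], a["reasons"]))
    return out


def decode_base64_name(name: str):
    """Hidden folders whose names are valid base64 of printable text deserve a
    look; DSS lists one under C:\\WINDOWS. Returns the decoded text or None."""
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text.isprintable() and len(text) >= 4 else None


if __name__ == "__main__":
    for kind, path, reasons in flagged(HJT_LINES):
        print(f"{kind:4} {path}\n     {'; '.join(reasons)}")
    print("R2FycnkgU2VsbWFu ->", decode_base64_name("R2FycnkgU2VsbWFu"))
```

The name heuristic on its own will also hit legitimate short lowercase DLL names, so treat it as a prioritiser, not a verdict: the confirmation here is that Kaspersky independently flagged awvts.dll and opnlklm.dll, and that the missing scvwfxxu.dll and jkkli.dll are still hooked, which is the pattern of a dropper that rotates its file names each boot. The O23 entry is the one to read most carefully: "svchost" as a display name with the binary under Common Files\Microsoft Shared\MSINFO is a name chosen to be skimmed past.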

Deckard's Main

Post by GarrySelman » March 27th, 2007, 8:43 pm

Deckard's System Scanner v20070318.32
Run by Garry on 2007-03-28 at 01:37:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-03-28 00:37:06 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Garry.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:38:53, on 28/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mwinlodv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Garry\Desktop\dss.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HIJACK~1\Garry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17E61077-7431-47DA-A165-CE1AA4EB4464} - C:\WINDOWS\system32\scvwfxxu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B5AD515B-D043-487B-95C7-22B9232807De} - C:\WINDOWS\system32\yupottre.dll (file missing)
O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {C38AC86C-0192-46D9-9830-85D02A5A98F2} - C:\WINDOWS\system32\opnlklm.dll
O2 - BHO: (no name) - {FB32879C-BE8D-4015-A450-E465441EBDD1} - C:\WINDOWS\system32\jkkli.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] -C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] -rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [REGSHAVE] -C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NVRTCLK] -C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] -C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] -C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Logitech Utility] -Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] -"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] -C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DataLayer] -C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] -C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{69-99-90-01-ZN}] -c:\windows\system32\nkdsregr.exe OLI001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinlodv.exe OLI001
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\bkeudpet.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] -C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Live Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: fccbxww - C:\WINDOWS\SYSTEM32\fccbxww.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
O20 - Winlogon Notify: opnlklm - C:\WINDOWS\SYSTEM32\opnlklm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - -C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - -C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing)
O23 - Service: svchost - Unknown owner - -C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 imagedrv - c:\windows\system32\drivers\imagedrv.sys
R0 imagesrv - c:\windows\system32\drivers\imagesrv.sys
R1 CTSYN (Creative S/W Synth) - c:\windows\system32\drivers\ctsyn.sys
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys
R2 STEC3 - c:\windows\system32\stec3.sys
R2 WIBUKEY (WIBU-KEY Kernel Driver) - c:\windows\system32\drivers\wibukey.sys
R3 LCcfltr (Logitech USB Filter Driver) - c:\windows\system32\drivers\lccfltr.sys
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys
R3 USR1806V (U.S. Robotics Voice Modem Driver 1806) - c:\windows\system32\drivers\usr1806v.sys

S0 MFX - c:\windows\system32\drivers\mfx.sys
S0 XMS1563K - c:\windows\system32\drivers\xms1563k.sys
S2 Ca533av (Icatch(IV) Video Camera Device) - c:\windows\system32\drivers\ca533av.sys
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys
S3 ALCXSENS (Service for WDM 3D Audio Driver) - c:\windows\system32\drivers\alcxsens.sys
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys
S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys
S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys
S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys
S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys
S3 GVCplDrv - c:\windows\system32\drivers\gvcpldrv.sys
S3 L8042PR2 (Logitech PS/2 Mouse Filter Driver) - c:\windows\system32\drivers\l8042pr2.sys
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys
S3 Nokia USB Port - c:\windows\system32\drivers\nmwcdcj.sys
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys
S3 StillCam (Still Serial Digital Camera Driver) - c:\windows\system32\drivers\serscan.sys
S3 umpusbxp (UPort 1 on Nokia Adapter) - c:\windows\system32\drivers\umpusbxp.sys
S3 usb2vcom (USB Data Cable) - c:\windows\system32\drivers\usb2vcom.sys
S3 USBCamera (Icatch(IV) Still Camera Device) - c:\windows\system32\drivers\bulk533.sys
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs

S2 btwdins (Bluetooth Service) - -c:\program files\widcomm\bluetooth software\bin\btwdins.exe (file missing)
S2 svchost - -c:\program files\common files\microsoft shared\msinfo\rejoice2007.exe (file missing)
S3 IDriverT (InstallDriver Table Manager) - -"c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe" (file missing)
S3 iPod Service - -"c:\program files\ipod\bin\ipodservice.exe" (file missing)
S3 MSCSPTISRV - -"c:\program files\common files\sony shared\avlib\mscsptisrv.exe" (file missing)
S3 NetSvc (Intel NCS NetService) - -c:\program files\intel\ncs\sync\netsvc.exe (file missing)
S3 PACSPTISVR - -"c:\program files\common files\sony shared\avlib\pacsptisvr.exe" (file missing)
S3 SPTISRV (Sony SPTI Service) - -"c:\program files\common files\sony shared\avlib\sptisrv.exe" (file missing)
S3 SSScsiSV (SonicStage SCSI Service) - -c:\program files\common files\sony shared\avlib\ssscsisv.exe (file missing)
S3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe -k usnsvc
S3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - -"c:\program files\windows media player\wmpnetwk.exe" (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-03-25 08:51:11 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-02-28 and 2007-03-28 -----------------------------

2007-03-27 19:58:16 26730 --a------ C:\WINDOWS\system32\fccbxww.dll
2007-03-27 14:20:20 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-27 14:20:18 0 d-------- C:\WINDOWS\LastGood
2007-03-26 16:53:45 88340 --a------ C:\WINDOWS\system32\eafhriyi.exe
2007-03-25 14:00:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-03-25 09:30:24 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-24 15:27:03 88340 --a------ C:\WINDOWS\system32\thlnnlfh.exe
2007-03-23 15:27:00 88340 --a------ C:\WINDOWS\system32\btqiloju.exe
2007-03-22 12:46:40 88340 --a------ C:\WINDOWS\system32\yospurmw.exe
2007-03-21 23:46:40 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-03-21 12:46:37 88340 --a------ C:\WINDOWS\system32\xehlmdgg.exe
2007-03-19 20:41:54 719688 ---hs---- C:\WINDOWS\system32\stvwa.bak1<STVWA~1.BAK>
2007-03-19 20:41:54 88340 --a------ C:\WINDOWS\system32\fmxkwfec.exe
2007-03-19 20:41:38 280676 ---hs---- C:\WINDOWS\system32\awvts.dll
2007-03-19 17:59:37 88340 --a------ C:\WINDOWS\system32\gmtquutd.exe
2007-03-18 08:56:06 88340 --a------ C:\WINDOWS\system32\kqcmpfvd.exe
2007-03-18 08:55:34 720166 --ahs---- C:\WINDOWS\system32\ilkkj.bak1<ILKKJ~1.BAK>
2007-03-18 08:55:34 123412 --a------ C:\WINDOWS\system32\bkeudpet.dll
2007-03-18 02:27:20 26552 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-03-18 02:21:56 183808 --a-s---- C:\WINDOWS\NDNuninstall7_48.exe<NDNUNI~2.EXE>
2007-03-18 02:19:03 45086 --a------ C:\WINDOWS\system32\nkdsregr.exe
2007-03-18 02:16:53 0 d-------- C:\Program Files\SlySoft
2007-03-18 02:15:16 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-03-18 02:15:12 8464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-18 02:15:09 50688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe<NDNUNI~1.EXE>
2007-03-18 02:15:08 184430 --a------ C:\WINDOWS\system32\mwinlodv.exe
2007-03-18 02:15:07 0 d--hs---- C:\WINDOWS\R2FycnkgU2VsbWFu<R2FYCN~1>
2007-03-18 02:14:56 22626 --ahs---- C:\WINDOWS\system32\opnlklm.dll
2007-03-05 19:01:09 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst<PLAYFI~1>
2007-03-03 21:27:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-03-03 20:29:52 0 d--hs---- C:\WINDOWS\ftpcache
2007-03-03 17:27:35 0 d-------- C:\My Games<MYGAME~1>
2007-03-03 17:27:27 0 d-------- C:\My Download Files<MYDOWN~1>
2007-03-03 17:26:06 774144 --a------ C:\Program Files\RngInterstitial.dll<RNGINT~1.DLL>


-- Find3M Report ---------------------------------------------------------------

2007-03-27 08:00:04 0 d-------- C:\Documents and Settings\Garry\Application Data\AVG7
2007-03-22 02:54:03 0 d-------- C:\Program Files\Common Files\Real
2007-03-19 22:17:36 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-19 18:16:16 0 d---s---- C:\Documents and Settings\Garry\Application Data\Microsoft<MICROS~1>
2007-03-07 03:09:06 0 d-------- C:\Program Files\Google
2007-03-03 21:34:29 0 d-------- C:\Program Files\Real
2007-02-23 23:22:55 0 d-------- C:\Documents and Settings\Garry\Application Data\SlySoft
2007-02-23 21:59:43 0 d-------- C:\Program Files\YAMP
2007-02-22 01:23:59 0 d-------- C:\Program Files\Winamp
2007-02-11 13:35:29 0 d-------- C:\Program Files\CloneDVD
2007-02-06 23:37:05 0 d-------- C:\Program Files\DivX
2007-02-04 23:22:37 0 d-------- C:\Program Files\PC Doc Pro<PCDOCP~1>
2007-02-04 10:27:07 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-02-01 05:56:06 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-01 05:56:05 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-01 05:56:05 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-01 05:56:04 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-31 22:27:01 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-31 00:15:10 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-01-30 06:03:40 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 06:03:34 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 06:03:34 116472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 06:03:34 129784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-01-30 06:03:26 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 06:03:26 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-30 05:56:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-30 05:56:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-30 05:56:54 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-30 05:56:52 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-30 05:56:52 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-30 05:56:52 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-30 05:56:52 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-30 05:56:52 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="-C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PRONoMgr.exe"="-C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"BluetoothAuthenticationAgent"="-rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"REGSHAVE"="-C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"NVRTCLK"="-C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"NeroFilterCheck"="-C:\\WINDOWS\\system32\\NeroCheck.exe"
"AudioHQ"="-C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Creative Launcher"="-C:\\Program Files\\Creative\\Launcher\\CTLauncher.exe"
"Logitech Utility"="-Logi_MwX.Exe"
"Share-to-Web Namespace Daemon"="-C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="-\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundMan"="-SOUNDMAN.EXE"
"SunJavaUpdateSched"="-\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"SsAAD.exe"="-C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"DataLayer"="-C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"PCSuiteTrayApplication"="-C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"NvCplDaemon"="-RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="-nwiz.exe /install"
"NvMediaCenter"="-RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="-\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"{69-99-90-01-ZN}"="-c:\\windows\\system32\\nkdsregr.exe OLI001"
"ExploreUpdSched"="C:\\WINDOWS\\system32\\mwinlodv.exe OLI001"
"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\system32\\bkeudpet.dll\",setvm"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{C38AC86C-0192-46D9-9830-85D02A5A98F2}"=""
"{182B90A3-F372-438A-800C-6814B4DE417B}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=dword:00000000
"NoClose"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.hornby.com/img/lvestm/pic_instr.jpg

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbxww
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlklm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-03-28 at 01:39:46 ---------
GarrySelman

Deckard's Extra

Unread postby GarrySelman » March 27th, 2007, 8:43 pm

Deckard's System Scanner v20070318.32
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.60GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.60GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1023.48 MiB / 562.48 MiB
Pagefile Memory (total/avail): 1950.66 MiB / 1621.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1985.42 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.79 GiB total, 16.28 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.446 v7.5.446 (GRISOFT)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Garry\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AURORA2005-6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Garry
LOGONSERVER=\\AURORA2005-6
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Garry\LOCALS~1\Temp
TMP=C:\DOCUME~1\Garry\LOCALS~1\Temp
USERDOMAIN=AURORA2005-6
USERNAME=Garry
USERPROFILE=C:\Documents and Settings\Garry
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Garry (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> Dummy
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DSexVilla-017.001 (Cracked) --> MsiExec.exe /I{49C81154-F39B-46D4-A0BF-97EE18E6B6D9}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
Canon i865 --> C:\WINDOWS\system32\CNMCP5m.exe "-PRINTERNAMECanon i865" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i865 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i865 Installer\Inst2\cnmi0409.dll"
Cars - Radiator Springs Adventures --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F36DDC8-9EAC-4B71-8CF6-70E9BF28B855}\setup.exe" -l0x9 -uninst
CloneDVD 3.6 --> "C:\Program Files\CloneDVD\unins000.exe"
Cute CD DVD Burner V2.6 --> C:\PROGRA~1\CUTECD~1\UNWISE.EXE C:\PROGRA~1\CUTECD~1\INSTALL.LOG
CuteFTP 7 Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}\Setup.exe" -l0x9
Digital Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1205500-2179-11D7-B0B9-0000E24D4B29}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Region-Free 3.10 --> "C:\Program Files\DVD Region-Free\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\Setup.exe"
GEAR Software Drivers --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GEAR Software\Driver Installer\DeIsL1.isu" -c"C:\Program Files\GEAR Software\Driver Installer\UNINSTALL\UninstWDM.dll"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Hide IP Platinum 3.1 --> "C:\Program Files\Hide IP Platinum\unins000.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hornby Virtual Railway 2 v1.06 --> MsiExec.exe /X{F4A871F6-BFE1-4E05-9370-4F7B1EB5ECD8}
Hornby Virtual Railway Expansion Pack 1 --> MsiExec.exe /I{70009699-21DC-40EB-B534-DD7D81DEE48A}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Photo and Imaging 2.1 - Scanjet 2400 Series --> MsiExec.exe /I{6F7ECD56-E224-4263-9B7E-158E5CECC43B}
Icatch(IV) Camera Driver --> Rundll32 advpack.dll,LaunchINFSectionEx C:\WINDOWS\CA533A.ini, Ca533AUnInstall
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iPod for Windows 2005-11-17 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8338BA06-E527-491B-9400-F51708FEE695} /l1033
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Kazaa Lite Resurrection 0.0.7.6 F --> "C:\Program Files\Kazaa Lite Resurrection\unins000.exe"
LimeWire PRO 4.12.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech MouseWare 9.79 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Train Simulator gmax Gamepack --> MsiExec.exe /X{8226A577-657C-4961-8DDC-EAC8DF61B465}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Motorola PST --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8CC5BF82-4DD4-11D4-A39F-00C04F05E3F0}\Setup.exe" -l0x9 anything
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
NeroMIX --> C:\WINDOWS\UNNMIX.exe /UNINSTALL
Nokia Connectivity Adapter Cable DKU-5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1BA3CD5-89DC-4273-8603-A75F33E9B335}\Setup.exe" -l0x9
Nokia Connectivity Cable Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3C1599DA-9ED9-4090-930F-B8BC4D99D6B0} /l2057
Nokia PC Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{FBD6A335-7E02-43B0-AF58-1B472F9BD3E1} /l2057
NVIDIA Display Driver --> C:\WINDOWS\system32\nvudisp.exe Uninstall C:\WINDOWS\system32\nvdisp.nvu,NVIDIA Display Driver
OpenMG Limited Patch 4.2-05-07-27-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.2-05-07-27-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.2.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{849ABF1A-6AE3-45E1-B260-D5447B2F29F5} UNINSTALL
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PC Doc Pro 3.5 --> "C:\Program Files\PC Doc Pro\unins000.exe"
PIMS & File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F340FE0-E93E-4A53-B5E4-19ED2648FCAE}\setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
RSD_LITE_2_5 --> MsiExec.exe /X{80B894AC-E0F4-42B2-9233-C492F03AC975}
ScreenCorder 1.0 --> C:\PROGRA~1\SCREEN~1\UNWISE.EXE C:\PROGRA~1\SCREEN~1\INSTALL.LOG
SonicStage 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Sound Blaster Live! 1024 --> C:\WINDOWS\CTDEL.EXE -[Sound Blaster Live! 1024
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Thomas & Friends - The Great Festival Adventure --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\The Great Festival Adventure\Uninst.isu"
Thomas Saves the Day --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDE5437B-7DC2-4BB4-BECA-B5E7633259D0}\setup.exe" -l0x9 -uninst
TRS2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDE1289F-4025-41A5-AD17-101DB4D82CA7}\setup.exe" -l0x9
Universal Simlock Remover (remove only) --> "C:\Program Files\USR\uninstall.exe"
Virgin Digital Player --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{1B984730-6D0D-49C9-95EB-9E07C933723E}
WIBU-KEY Setup (WIBU-KEY Remove) --> C:\Program Files\WIBUKEY\Setup\SETUP32.EXE /R:{00060000-0000-1004-8002-0000C06B5161}
WIDCOMM Bluetooth Software --> MsiExec.exe /X{FE90E9E7-A158-4687-8853-DF677A939A61}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{FCE50DB8-C610-4C42-BE5C-193F46C6F812}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
YAMP v1.3 --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\YAMP\UnInst.log" "/APPNAME=YAMP v1.3"


-- End of Deckard's System Scanner: finished at 2007-03-28 at 01:39:46 ---------
GarrySelman

Silent Runners Text file

Unread postby GarrySelman » March 27th, 2007, 8:52 pm

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"PcSync" = "-C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PRONoMgr.exe" = "-C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [file not found]
"BluetoothAuthenticationAgent" = "-rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [file not found]
"REGSHAVE" = "-C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" [file not found]
"NVRTCLK" = "-C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [file not found]
"NeroFilterCheck" = "-C:\WINDOWS\system32\NeroCheck.exe" [file not found]
"AudioHQ" = "-C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [file not found]
"Creative Launcher" = "-C:\Program Files\Creative\Launcher\CTLauncher.exe" [file not found]
"Logitech Utility" = "-Logi_MwX.Exe" [file not found]
"Share-to-Web Namespace Daemon" = "-C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [file not found]
"TkBellExe" = "-"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]
"SoundMan" = "-SOUNDMAN.EXE" [file not found]
"SunJavaUpdateSched" = "-"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" [file not found]
"SsAAD.exe" = "-C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [file not found]
"DataLayer" = "-C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [file not found]
"PCSuiteTrayApplication" = "-C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" [file not found]
"NvCplDaemon" = "-RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [file not found]
"nwiz" = "-nwiz.exe /install" [file not found]
"NvMediaCenter" = "-RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [file not found]
"iTunesHelper" = "-"C:\Program Files\iTunes\iTunesHelper.exe"" [file not found]
"{69-99-90-01-ZN}" = "-c:\windows\system32\nkdsregr.exe OLI001" [file not found]
"ExploreUpdSched" = "C:\WINDOWS\system32\mwinlodv.exe OLI001" [empty string]
"2chkdsk" = "rundll32.exe "C:\WINDOWS\system32\bkeudpet.dll",setvm" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{17E61077-7431-47DA-A165-CE1AA4EB4464}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\scvwfxxu.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{B5AD515B-D043-487B-95C7-22B9232807De}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\yupottre.dll" [file not found]
{C2334977-B955-44CC-8114-717A9F455095}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\awvts.dll" [null data]
{C38AC86C-0192-46D9-9830-85D02A5A98F2}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\opnlklm.dll" [null data]
{FB32879C-BE8D-4015-A450-E465441EBDD1}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jkkli.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\BTNEIG~1.DLL" ["WIDCOMM, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "C:\Program Files\Common Files\FotoNation\camview.dll" [file not found]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {HKLM...CLSID} = "Share-to-Web Upload Folder"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {HKLM...CLSID} = "Message View"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NVCPL.DLL" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{93994DE8-8239-4655-B1D1-5F4E91300429}" = (no title provided)
-> {HKLM...CLSID} = "DVDIdleShell Class"
\InProcServer32\(Default) = "C:\PROGRA~1\DVDREG~1\DVDShell.dll" ["Fengtao Software"]
<<!>> "{C38AC86C-0192-46D9-9830-85D02A5A98F2}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\opnlklm.dll" [null data]
<<!>> "{182B90A3-F372-438A-800C-6814B4DE417B}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fccbxww.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [null data]
<<!>> fccbxww\DLLName = "fccbxww.dll" [null data]
<<!>> jkkli\DLLName = "C:\WINDOWS\system32\jkkli.dll" [file not found]
<<!>> opnlklm\DLLName = "opnlklm.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{00020000-0000-1011-8004-0000C06B5161}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Garry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Garry" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Live Messenger"
"MenuText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "C:\Program Files\MSN Messenger\msnmsgr.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["WIDCOMM, Inc."]
Canon BJ Language Monitor i865\Driver = "CNMLM5m.DLL" ["CANON INC."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 175 seconds.
---------- (total run time: 241 seconds)

Unread postby GarrySelman » March 27th, 2007, 8:59 pm

Not sure if you can see it from the logs, but I'm getting this annoying little box that keeps popping up, titled:
Microsoft Visual C++ Runtime Library.
Then in the box:
Buffer overrun detected! Program: C:\WINDOWS\explorer.exe
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

"OK" (click button)


If I hit the OK button, Windows partially shuts down then comes back on.
If I ignore it, things still seem to work OK, but the box gets in the way.

Garry

Unread postby Susan528 » March 28th, 2007, 9:02 am

Garry, you have infected files. I am hoping that if we get rid of them, maybe your pop-up with the C:\WINDOWS\explorer.exe will clear up. In the worst case you may have to format and reinstall Windows. I found one post where a person stated that if the Runtime error occurred after a reinstall of the OS, it may be hardware related. But I do not think your case is due to hardware problems, since your system is infected and the error is occurring now.

Let's try the following please.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {17E61077-7431-47DA-A165-CE1AA4EB4464} - C:\WINDOWS\system32\scvwfxxu.dll (file missing)
O2 - BHO: (no name) - {B5AD515B-D043-487B-95C7-22B9232807De} - C:\WINDOWS\system32\yupottre.dll (file missing)
O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {C38AC86C-0192-46D9-9830-85D02A5A98F2} - C:\WINDOWS\system32\opnlklm.dll
O2 - BHO: (no name) - {FB32879C-BE8D-4015-A450-E465441EBDD1} - C:\WINDOWS\system32\jkkli.dll (file missing)
O4 - HKLM\..\Run: [{69-99-90-01-ZN}] -c:\windows\system32\nkdsregr.exe OLI001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinlodv.exe OLI001
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\bkeudpet.dll",setvm
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: fccbxww - C:\WINDOWS\SYSTEM32\fccbxww.dll
O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
O20 - Winlogon Notify: opnlklm - C:\WINDOWS\SYSTEM32\opnlklm.dll

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Documents and Settings\Garry\My Documents\My Zips\MP3MIXMASTER.exe<=file
C:\WINDOWS\NDNuninstall6_38.exe<=file
C:\WINDOWS\NDNuninstall7_48.exe<=file
C:\WINDOWS\SYSTEM32\fccbxww.dll<=file
C:\WINDOWS\system32\awvts.dll<=file
C:\WINDOWS\system32\bkeudpet.dll<=file
C:\WINDOWS\system32\btqiloju.exe<=file
C:\WINDOWS\system32\eafhriyi.exe<=file
C:\WINDOWS\system32\fmxkwfec.exe <=file
C:\WINDOWS\system32\gmtquutd.exe<=file
C:\WINDOWS\system32\kqcmpfvd.exe<=file
C:\WINDOWS\system32\nkdsregr.exe<=file
C:\WINDOWS\system32\opnlklm.dll <=file
C:\WINDOWS\system32\thlnnlfh.exe<=file
C:\WINDOWS\system32\xehlmdgg.exe <=file
C:\WINDOWS\system32\yospurmw.exe<=file
C:\WINDOWS\system32\mwinlodv.exe<=file
C:\WINDOWS\system32\stvwa.bak1<=file
C:\WINDOWS\system32\ilkkj.bak1<=file
C:\WINDOWS\R2FycnkgU2VsbWFu<=file
Exit Explorer, and reboot as normal afterwards.

Post (reply) with a fresh HijackThis log and we will take another look. Also let me know if you still are receiving the pop-up error.

Unread postby GarrySelman » March 28th, 2007, 1:47 pm

Done all that.
I couldn't find either:
C:\WINDOWS\system32\awvts.dll<=file
or
C:\WINDOWS\R2FycnkgU2VsbWFu<=file

Other than those, all were deleted.
Just going to reboot in normal mode now.
Will post Hijackthis log in next post in a moment.

Garry.

2nd Hijackthis log

Unread postby GarrySelman » March 28th, 2007, 2:06 pm

Logfile of HijackThis v1.99.1
Scan saved at 19:04:38, on 28/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [PRONoMgr.exe] -C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] -rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [REGSHAVE] -C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NVRTCLK] -C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AudioHQ] -C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] -C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Logitech Utility] -Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] -C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] -"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] -C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DataLayer] -C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] -C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\asvafutd.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] -C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Live Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\msnmsgr.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promot ... WebAAS.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - -C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - -"C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - -C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing)
O23 - Service: svchost - Unknown owner - -C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

Unread postby GarrySelman » March 28th, 2007, 2:13 pm

After that, ThinkAdz seems to have gone. I haven't had the runtime error popup yet, but I have had an IE7 popup: another web page opened to this url: <url removed for safety of others> when I posted the log previously, although I did have to lower all the IE7 security right down to minimum. Is it ok to turn it back up now? Maybe that will fix the IE popup?

Garry.

Edited to remove link to live malware - random/random

Unread postby Susan528 » March 28th, 2007, 3:34 pm

Hi Garry,

Your log looks better.

That url you posted is bad. You can read about it here.
http://msmvps.com/blogs/spywaresucks/ar ... 10588.aspx


There are a couple of files that I would like you to check out with Jotti to double-check that they are bad before we pursue deleting them.
STEP 1.
======
Please show all files for your system.
You will need to reverse this process when all steps are done.


Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\system32\asvafutd.dll
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). See whether you can find some company information, etc.

STEP 2.
======
Please repeat Step 1 for this file also (if it exists)
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe

STEP 3.
======
Only for Windows XP and Windows 2000

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


______________________________

Please download the trial version of AVG anti-spyware 7.5 from here:
http://www.ewido.net/en/download/
  • Install AVG anti-spyware anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run AVG anti-spyware for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update AVG anti-spyware to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close AVG.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG anti-spyware manual updates. Make sure to close AVG anti-spyware before installing the update.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt
Also let me know about the Jotti results from Step 1 and Step 2.
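The entries Susan528 told Garry to fix in her first reply, and the two files she asks to have checked with Jotti here, share a few traits a helper learns to spot in a HijackThis log: five-to-eight-letter random file names sitting directly in system32, BHOs with no name, Winlogon Notify hooks and rundll32 Run entries pointing at those DLLs, orphaned "(file missing)" registrations, and a service called "svchost" loaded from a Program Files folder. As an added example (my own code, not HijackThis's and not part of this thread), the Python script below parses O2/O4/O20/O23 lines in HijackThis v1.99 format and flags those patterns; the sample lines are copied from the logs posted above, while the random-name heuristic and its tiny allowlist are assumptions of mine.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HijackThis code).

Heuristics are assumptions modelled on the entries flagged in this thread: random-looking
names in system32, unnamed BHOs, orphaned "(file missing)" entries, rundll32 Run entries
loading such a DLL, and a service borrowing a core Windows process name from elsewhere.
"""
from __future__ import annotations

import re
from collections import namedtuple

# Line shapes as HijackThis prints them (see the logs in this thread).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] -?(?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - -?(?P<path>.*)$')

# A bare 5-8 letter name directly under system32: the pattern of every file listed for
# deletion in this thread. Assumption, and noisy: a real allowlist would be far longer.
RANDOM_SYS32 = re.compile(r'(?i)c:\\windows\\system32\\([a-z]{5,8}\.(?:dll|exe))\b')
KNOWN_GOOD = {'ctfmon.exe', 'nvcpl.dll', 'nvmctray.dll', 'svchost.exe'}  # illustrative only
MISSING = '(file missing)'
CORE_NAMES = {'svchost', 'lsass', 'csrss', 'winlogon', 'services', 'smss'}

Finding = namedtuple('Finding', 'section reason line')


def random_name(text: str) -> str | None:
    """Return the suspicious file name found in text, or None if clean or allowlisted."""
    m = RANDOM_SYS32.search(text)
    if not m or m.group(1).lower() in KNOWN_GOOD:
        return None
    return m.group(1)


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    line = line.strip()
    out: list[Finding] = []
    if m := O2_RE.match(line):
        if m['name'] == '(no name)':
            out.append(Finding('O2', 'unnamed BHO', line))
        if MISSING in m['path']:
            out.append(Finding('O2', 'orphaned BHO registration', line))
        if random_name(m['path']):
            out.append(Finding('O2', 'random-named DLL in system32', line))
    elif m := O4_RE.match(line):
        cmd = m['cmd']
        if random_name(cmd):
            via = 'rundll32 loads' if 'rundll32' in cmd.lower() else 'Run entry starts'
            out.append(Finding('O4', f'{via} random-named file in system32', line))
    elif m := O20_RE.match(line):
        if MISSING in m['path']:
            out.append(Finding('O20', 'orphaned Winlogon Notify hook', line))
        elif random_name(m['path']):
            out.append(Finding('O20', 'Winlogon Notify hook into random-named DLL', line))
    elif m := O23_RE.match(line):
        if m['display'].lower() in CORE_NAMES and 'system32' not in m['path'].lower():
            out.append(Finding('O23', 'service uses a core process name outside system32', line))
    return out


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a pasted log."""
    return [f for ln in text.splitlines() for f in triage_line(ln)]


# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C2334977-B955-44CC-8114-717A9F455095} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {FB32879C-BE8D-4015-A450-E465441EBDD1} - C:\WINDOWS\system32\jkkli.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\asvafutd.dll",setvm
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinlodv.exe OLI001
O20 - Winlogon Notify: fccbxww - C:\WINDOWS\SYSTEM32\fccbxww.dll
O23 - Service: svchost - Unknown owner - -C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice2007.exe (file missing)
"""
```

A hit is a reason to submit the file to Jotti or VirusTotal as Susan528 asks, not proof on its own; the legitimate NVIDIA and ctfmon Run entries in Garry's log only pass because of the allowlist.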